package com.android.webserver.security;

import com.android.webserver.db.WebApplication;
import com.android.webserver.tornado.Response;

import java.util.regex.Matcher;
import java.util.regex.Pattern;

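/**
 * Response post-processing step that forbids embedding the page in a frame
 * (clickjacking mitigation).
 *
 * <p>Two controls are applied: the {@code X-FRAME-OPTIONS: DENY} header on
 * every response, which is the primary control, and — for HTML responses
 * only — a small frame-busting script inserted before {@code </head>} as a
 * fallback for browsers that predate the header. The script is
 * defense-in-depth and is not relied on by itself.
 *
 * @author Baptiste GOURDIN
 *
 */
public class FramingPrevention
{
	/** Legacy frame-busting script injected into HTML responses; a constant, so it must not be reassignable. */
	private static final String	FRAMEBUSTING_CODE	= "<script type=\"text/javascript\">"
			+ "if(top.location != location) {"
			+ "top.location.href = document.location.href;"
			+ "}" + "</script>";

	/**
	 * Matches the whole document, capturing everything before the last
	 * {@code </head>} in group 1 and the remainder in group 2. DOTALL is
	 * required: without it {@code .} does not cross line breaks, so a
	 * multi-line HTML document would never match and the script would be
	 * silently left out.
	 */
	private static final Pattern	HEAD_END	= Pattern.compile("(.+)(</head>.*)", Pattern.DOTALL);

	/**
	 * Adds the anti-framing header to {@code response} and, when the response
	 * is HTML, injects {@link #FRAMEBUSTING_CODE} before its {@code </head>}
	 * tag and refreshes the {@code Content-Length} header.
	 *
	 * @param response the response to protect; its headers and, for HTML,
	 *                 {@code HTMLContent} are modified in place
	 * @param webApp   the application the response belongs to; not consulted
	 *                 yet (see the "ok-to-frame" marker below)
	 */
	public static void verifyResponse(Response response, WebApplication webApp)
	{
		// XXX List of "ok-to-frame" pages

		// X-FRAME-OPTIONS Header — primary control, applied to every response
		response.addHeader("X-FRAME-OPTIONS: DENY");

		// Framebusting code for legacy browsers that ignore the header
		if (response.isHTML)
		{
			Matcher m = HEAD_END.matcher(response.HTMLContent);
			if (m.matches())
			{
				// Groups are concatenated directly, so no replacement-string escaping is needed
				response.HTMLContent = m.group(1) + FRAMEBUSTING_CODE + m.group(2);
			}
			// A document without </head> is left untouched; the header still applies.
			// NOTE(review): length() counts UTF-16 chars, not encoded bytes, so this is only
			// exact for ASCII content — confirm how Response encodes the body when writing.
			response.modifyHeader("Content-Length: " + response.HTMLContent.length());
		}
	}
}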
